An Insider's View of What Hackers Are Doing to Get Organizational Information

This week, both The New York Times and Wired.com released articles that shed some light on how cyber-thieves hack into organizational databases, and what kinds of information they are looking for. What the reporters exposed is enough to make any business owner rethink what their risk management policy (if any) is towards information technology, or more specifically, information security. In The Times article, we are introduced to a soft-spoken 20-year-old Chinese college graduate who goes by the codename "Majia."

"With a few quick keystrokes…[Majia] calls up a screen displaying his latest victims. ‘Here's a list of the people who've been infected with my Trojan horse,’ he says, working from a dingy apartment on the outskirts of [a] city in central China. ‘They don't even know what's happened.’"

"As he explains it, an online ‘trapdoor’ he created just over a week ago has already lured 2,000 people from China and overseas — people who clicked on something they should not have, inadvertently spreading a virus that allows him to take control of their computers and steal bank account passwords."

Wired.com's article spoke to the recent Google v. China chess match relating to cyber-security. What we've known so far through media reports is that hackers had gained access to intellectual property via Google users' Gmail accounts. Now, a Virginia-based computer forensic firm has created a report which suggests that the "attack that hit Google is identical to publicly undisclosed attacks that have quietly plagued thousands of other U.S. companies and government agencies since 2002 and are rapidly growing. They represent a sea change from the kinds of attacks that have commonly hit networks and made headlines." The article does a great job of outlining for the layperson what kind of information hackers are hoping to obtain.

"Called Advanced Persistent Threats (APT), the attacks are distinctive in the kinds of data the attackers target, and they are rarely detected by antivirus and intrusion programs. What’s more, the intrusions grab a foothold into a company’s network, sometimes for years, even after a company has discovered them and taken corrective measures."

Law Firms/Lawyers Beware!

"One mark of APT attacks is that they have especially hit companies with dealings in China, including more than 50 law firms. ‘If you're a law firm and you're doing business in places like China, it's so probable you're compromised and it's very probable there's not much you can do about it,’ Mandia says. In 2008, [the Virginia-based computer forensic company] investigated a breach at a law firm that was representing a client in a lawsuit related to China. The attackers were in the firm's network for a year before the firm learned from law enforcement that it had been hacked. By then, the intruders had harvested thousands of e-mails and attachments from mail servers. They also had access to every other server, desktop workstation and laptop on the firm's network."

As Majia points out, the lure of money, the lack of enforceability of laws related to cyber-crimes (in China and elsewhere), and the low risk of actually getting caught make the profession of cyber-thief very enticing for an enterprising individual. Eventually, organizations, especially those in the U.S., are going to have to talk about the two-ton elephant in the room: their inability to secure their most valued asset, information. Technology that works in conjunction with PEOPLE and PROCESSES is the only way for them to mitigate their risk exposure (i.e., data governance).